Despite its popularity, no written specification or standard existed for the PHP language until 2014, leaving the canonical PHP interpreter as a de facto standard. Since 2014, there is ongoing work on creating a formal PHP specification.[10]

PHP/FI could be used to build simple, dynamic web applications. Lerdorf initially announced the release of PHP/FI as "Personal Home Page Tools (PHP Tools) version 1.0" publicly to accelerate bug location and improve the code, on the Usenet discussion group comp.infosystems.www.authoring.cgi on June 8, 1995.[14][15] This release already had the basic functionality that PHP has as of 2013[update]. This included Perl-like variables, form handling, and the ability to embed HTML. The syntax resembled that of Perl but was simpler, more limited and less consistent.[6]

Early PHP was not intended to be a new programming language, and grew organically, with Lerdorf noting in retrospect: "I don’t know how to stop it, there was never any intent to write a programming language […] I have absolutely no idea how to write a programming language, I just kept adding the next logical step on the way."[16] A development team began to form and, after months of work and beta testing, officially released PHP/FI 2 in November 1997.

One criticism of PHP is that it was not originally designed, but instead it was developed organically;[16] among other things, this has led to inconsistent naming of functions and inconsistent ordering of their parameters.[17] In some cases, the function names were chosen to match the lower-level libraries which PHP was "wrapping",[18] while in some very early versions of PHP the length of the function names was used internally as a hash function, so names were chosen to improve the distribution of hash values.[19]

On May 22, 2000, PHP 4, powered by the Zend Engine 1.0, was released.[6] As of August 2008 this branch reached version 4.4.9. PHP 4 is no longer under development nor will any security updates be released.[21][22]

On July 13, 2004, PHP 5 was released, powered by the new Zend Engine II.[6] PHP 5 included new features such as improved support for object-oriented programming, the PHP Data Objects (PDO) extension (which defines a lightweight and consistent interface for accessing databases), and numerous performance enhancements.[23] In 2008 PHP 5 became the only stable version under development. Late static binding had been missing from PHP and was added in version 5.3.[24][25]

Many high-profile open-source projects ceased to support PHP 4 in new code as of February 5, 2008, because of the GoPHP5 initiative,[26] provided by a consortium of PHP developers promoting the transition from PHP 4 to PHP 5.[27][28]

Over time, PHP interpreters became available on most existing 32-bit and 64-bit operating systems, either by building them from the PHP source code, or by using pre-built binaries.[29] For the PHP versions 5.3 and 5.4, the only available Microsoft Windows binary distributions were 32-bit x86 builds,[30][31] requiring Windows 32-bit compatibility mode while using Internet Information Services (IIS) on a 64-bit Windows platform. PHP version 5.5 made the 64-bit x86-64 builds available for Microsoft Windows.[32]

PHP received mixed reviews due to lacking native Unicode support at the core language level.[33][34] In 2005, a project headed by Andrei Zmievski was initiated to bring native Unicode support throughout PHP, by embedding the International Components for Unicode (ICU) library, and representing text strings as UTF-16 internally.[35] Since this would cause major changes both to the internals of the language and to user code, it was planned to release this as version 6.0 of the language, along with other major features then in development.[36]

However, a shortage of developers who understood the necessary changes, and performance problems arising from conversion to and from UTF-16, which is rarely used in a web context, led to delays in the project.[37] As a result, a PHP 5.3 release was created in 2009, with many non-Unicode features back-ported from PHP 6, notably namespaces. In March 2010, the project in its current form was officially abandoned, and a PHP 5.4 release was prepared containing most remaining non-Unicode features from PHP 6, such as traits and closure re-binding.[38] Initial hopes were that a new plan would be formed for Unicode integration, but as of 2014 none has been adopted.

As of 2014[update], work is underway on a new major PHP version named PHP 7. There was some dispute as to whether the next major version of PHP was to be called PHP 6 or PHP 7. While the PHP 6 unicode experiment had never been released, a number of articles and book titles referenced the old PHP 6 name, which might have caused confusion if a new release were to reuse the PHP 6 name.[39] After a vote, the name PHP 7 was chosen.[40]

PHP 7 gets its foundations from an experimental PHP branch that was originally named phpng (PHP next generation), which aims at optimizing PHP performance by refactoring the Zend Engine while retaining near-complete language compatibility.[41] As of 14 July 2014[update], WordPress-based benchmarks, which serve as the main benchmark suite for phpng project, show an almost 100% increase in performance. Changes from phpng are also expected to make it easier to improve performance in the future, as more compact data structures and other changes are seen as better suited for a successful migration to a just-in-time (JIT) compiler.[42] Because of the significant changes, this reworked Zend Engine will be called Zend Engine 3, succeeding the Zend Engine 2 used in PHP 5.[43]

In terms of new language features, PHP 7 will add features such as return type declarations,[44] which will complement its existing parameter type declarations. PHP 7 will also contain an improved variable syntax which is internally consistent and complete, resolving a long-standing issue in PHP, what will allow use of ->, [], (), {}, and :: operators with arbitrary meaningful left-hand-side expressions.[45]

Namespace support; late static bindings, jump label (limited goto), closures, PHP archives (phar), garbage collection for circular references, improved Windows support, sqlite3, mysqlnd as a replacement for libmysql as underlying library for the extensions that work with MySQL, fileinfo as a replacement for mime_magic for better MIME support, the Internationalization extension, and deprecation of ereg extension.

Constant scalar expressions, variadic functions, argument unpacking, new exponentiation operator, extensions of the use statement for functions and constants, new phpdbg debugger as a SAPI module, and other smaller improvements.[56]

Beginning on June 28, 2011, the PHP Group began following a timeline for when new versions of PHP will be released.[54] Under this timeline, at least one release should occur every month. Once per year, a minor release should occur which can include new features. Every minor release should at least have two years of security and bug fixes, followed by at least one year of security-only fixes, for a total of a three-year release process for every minor release. No new features (unless small and self-contained) will be introduced into a minor release during the three-year release process.

However, as PHP does not need to be embedded in HTML or used with a web server, the simplest version of a Hello World program can be written like this, with the closing tag omitted as preferred in files containing pure PHP code[65] (prior to PHP 5.4.0, this short syntax for echo() only works with the short_open_tag configuration setting enabled, while for PHP 5.4.0 and later it is always available):[66][67][68]

<?='Hello world';

The PHP interpreter only executes PHP code within its delimiters. Anything outside its delimiters is not processed by PHP (although non-PHP text is still subject to control structures described in PHP code). The most common delimiters are <?php to open and ?> to close PHP sections. <script language="php"> and </script> delimiters are also available, as are the shortened forms <? or <?= (which is used to echo back a string or variable) and ?> as well as ASP-style short forms <% or <%= and %>. Short delimiters make script files less portable, since support for them can be disabled in the local PHP configuration, and they are therefore discouraged.[68][69] The purpose of all these delimiters is to separate PHP code from non-PHP code, including HTML.[70]

The first form of delimiters, <?php and ?>, in XHTML and other XML documents, creates correctly formed XML "processing instructions".[71] This means that the resulting mixture of PHP code and other markup in the server-side file is itself well-formed XML.

Variables are prefixed with a dollar symbol, and a type does not need to be specified in advance. PHP 5 introduced type hinting that allows functions to force their parameters to be objects of a specific class, arrays, interfaces or callback functions. However, type hints can not be used with scalar types such as integer or string.[72]

Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and heredoc strings provide the ability to interpolate a variable's value into the string.[73] PHP treats newlines as whitespace in the manner of a free-form language, and statements are terminated by a semicolon.[74] PHP has three types of comment syntax: /* */ marks block and inline comments; // as well as # are used for one-line comments.[75] The echo statement is one of several facilities PHP provides to output text, e.g., to a web browser.

In terms of keywords and language syntax, PHP is similar to most high level languages that follow the C style syntax. if conditions, for and while loops, and function returns are similar in syntax to languages such as C, C++, C#, Java and Perl.

PHP stores whole numbers in a platform-dependent range, either a 64-bit or 32-bit signedinteger equivalent to the C-language long type. Unsigned integers are converted to signed values in certain situations; this behavior is different from other programming languages.[76] Integer variables can be assigned using decimal (positive and negative), octal, hexadecimal, and binary notations.

Floating point numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.[77] PHP has a native Boolean type that is similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in Perl and C++.[77]

The null data type represents a variable that has no value; NULL is the only allowed value for this data type.[77]

Variables of the "resource" type represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension; examples include file, image, and database resources.[77]

Arrays can contain elements of any type that PHP can handle, including resources, objects, and even other arrays. Order is preserved in lists of values and in hashes with both keys and values, and the two can be intermingled.[77] PHP also supports strings, which can be used with single quotes, double quotes, nowdoc or heredoc syntax.[78]

PHP has hundreds of functions provided by the core language functionality and thousands more available via various extensions; these functions are well documented in the online PHP documentation.[80] However, the built-in library has a wide variety of naming conventions and associated inconsistencies, as described under history above.

Additional functions can be defined by the developer:

function myAge($birthYear)// defines a function, this one is named "myAge"{$yearsOld=date('Y')-$birthYear;// calculates the agereturn$yearsOld.' year'.($yearsOld!=1 ? 's':'');// returns the age in a descriptive form}echo'I am currently '. myAge(1981).' old.';// outputs the text concatenated// with the return value of myAge()// As the result of this syntax, myAge() is called.// In 2014, the output of this sample program will be 'I am currently 33 years old.'

In PHP, normal functions are not first-class and can only be referenced by their name directly, or dynamically by a variable containing the name of the function (referred to as "variable functions"). User-defined functions can be created at any time without being prototyped.[80][81] Functions can be defined inside code blocks, permitting a run-time decision as to whether or not a function should be defined. Function calls must use parentheses, with the exception of zero-argument class constructor functions called with the PHP new operator, where parentheses are optional.

Until PHP 5.3, support for true anonymous functions or closures did not exist in PHP. While create_function() exists since PHP 4.0.1, it is merely a thin wrapper around eval() that allows normal PHP functions to be created during program execution.[82] Also, support for variable functions allows normal PHP functions to be used, for example, as callbacks or within function tables.[81] PHP 5.3 added support for closures, which are true anonymous, first-class functions,[83] whose syntax can be seen in the following example:

In the example above, getAdder() function creates a closure using passed argument $x (the keyword use imports a variable from the lexical context), which takes an additional argument $y, and returns the created closure to the caller. Such a function is a first-class object, meaning that it can be stored in a variable, passed as a parameter to other functions, etc.[84]

When flock() is called, PHP opens a file and tries to lock it. The target label retry: defines the point to which execution should return if flock() is unsuccessful and goto retry; is called. The goto statement is restricted and requires that the target label be in the same file and context.

Basic object-oriented programming functionality was added in PHP 3 and improved in PHP 4.[6] Object handling was completely rewritten for PHP 5, expanding the feature set and enhancing performance.[85] In previous versions of PHP, objects were handled like value types.[85] The drawback of this method was that the whole object was copied when a variable was assigned or passed as a parameter to a method. In the new approach, objects are referenced by handle, and not by value.

If the developer creates a copy of an object using the reserved word clone, the Zend engine will check whether a __clone() method has been defined. If not, it will call a default __clone() which will copy the object's properties. If a __clone() method is defined, then it will be responsible for setting the necessary properties in the created object. For convenience, the engine will supply a function that imports the properties of the source object, so the programmer can start with a by-value replica of the source object and only override properties that need to be changed.[87]

The visibility of PHP properties and methods is defined using the keywordspublic, private, and protected. The default is public, if only var is used; var is a synonym for public. Items declared public can be accessed everywhere. protected limits access to inherited classes (and to the class that defines the item). private limits visibility only to the class that defines the item.[88] Objects of the same type have access to each other's private and protected members even though they are not the same instance. PHP's member visibility features have sometimes been described as "highly useful."[89] However, they have also sometimes been described as "at best irrelevant and at worst positively harmful."[90]

The original, only complete and most widely used PHP implementation is powered by the Zend Engine and known simply as PHP. To disambiguate it from other implementations, it is sometimes unofficially referred to as "Zend PHP". The Zend Engine compiles PHP source code on-the-fly into an internal format that it can execute, thus it works as an interpreter.[91][92] It is also the "reference implementation" of PHP, as PHP has no formal specification, and so the semantics of Zend PHP define the semantics of PHP itself. Due to the complex and nuanced semantics of PHP, defined by how Zend works, it is difficult for competing implementations to offer complete compatibility.

PHP's single-request-per-script-execution model, and the fact the Zend Engine is an interpreter, lead to inefficiency. As a result, various products have been developed to help improve PHP performance. In order to speed up execution time and not have to compile the PHP source code every time the web page is accessed, PHP scripts can also be deployed in the PHP engine's internal format by using an opcode cache, which works by caching the compiled form of a PHP script (opcodes) in shared memory to avoid the overhead of parsing and compiling the code every time the script runs. An opcode cache, Zend Opcache, is built into PHP since version 5.5.[93] Another example of a widely used opcode cache is the Alternative PHP Cache (APC), which is available as a PECL extension.[94]

While Zend PHP is still the most popular implementation, several other implementations have been developed. Some of these are compilers or support JIT compilation, and hence offer performance benefits over Zend PHP at the expense of lacking full PHP compatibility. Alternative implementations include the following:

HipHop Virtual Machine (HHVM) – developed at Facebook and available as open source, it converts PHP code into a high-level bytecode (commonly known as an intermediate language), which is then translated into x86-64 machine code dynamically at runtime by a just-in-time (JIT) compiler, resulting in up to 6× performance improvements.[95]

Parrot – a virtual machine designed to run dynamic languages efficiently; Pipp transforms the PHP source code into the Parrot intermediate representation, which is then translated into the Parrot's bytecode and executed by the virtual machine.

HipHop – developed at Facebook and available as open source, it transforms the PHP scripts into C++ code and then compiles the resulting code, reducing the server load up to 50%. In early 2013, Facebook deprecated it in favor of HHVM due to multiple reasons, including deployment difficulties and lack of support for the whole PHP language, including the create_function() and eval() constructs.[96]

Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

This restriction on use of the name PHP makes the PHP License incompatible with the GNU General Public License (GPL), while the Zend License is incompatible due to an advertising clause similar to that of the original license of BSD.[98]

Some other projects, such as Zephir, provide the ability for PHP extensions to be created in a high-level language and compiled into native PHP extensions. Such an approach, instead of writing PHP extensions directly in C, simplifies the development of extensions and reduces the time required for programming and testing.[109]

PHP-FPM (FastCGI Process Manager) is an alternative FastCGI implementation for PHP, bundled with the official PHP distribution since version 5.3.3.[111] When compared to the older FastCGI implementation, it contains some additional features, mostly useful for heavily loaded web servers.[112]

When using PHP for command-line scripting, a PHP command-line interface (CLI) executable is needed. PHP supports a CLI SAPI as of PHP 4.3.0.[113] The main focus of this SAPI is developing shell applications using PHP. There are quite a few differences between the CLI SAPI and other SAPIs, although they do share many of the same behaviors.[114]

PHP can also be used for writing desktop graphical user interface (GUI) applications, by using the PHP-GTK extension. PHP-GTK is not included in the official PHP distribution,[110] and as an extension it can be used only with PHP versions 5.1.0 and newer. The most common way of installing PHP-GTK is compiling it from the source code.[115]

Numerous configuration options are supported, affecting both core PHP features and extensions.[118][119] Configuration file php.ini is searched for in different locations, depending on the way PHP is used.[120] The configuration file is split into various sections,[121] while some of the configuration options can be also set within the web server configuration.[122]

PHP acts primarily as a filter,[124] taking input from a file or stream containing text and/or PHP instructions and outputting another stream of data. Most commonly the output will be HTML, although it could be JSON, XML or binary data such as image or audio formats. Since PHP 4, the PHP parsercompiles input to produce bytecode for processing by the Zend Engine, giving improved performance over its interpreter predecessor.[125]

The LAMP architecture has become popular in the web industry as a way of deploying web applications.[128] PHP is commonly used as the P in this bundle alongside Linux, Apache and MySQL, although the P may also refer to Python, Perl, or some mix of the three. Similar packages, WAMP and MAMP, are also available for Windows and OS X, with the first letter standing for the respective operating system. Although both PHP and Apache are provided as part of the Mac OS X base install, users of these packages seek a simpler installation mechanism that can be more easily kept up to date.

For specific and more advanced usage scenarios, PHP offers a well defined and documented way for writing custom extensions in C or C++.[140][141][142][143][144][145][146] Besides extending the language itself in form of additional libraries, extensions are providing a way for improving execution speed where it is critical and there is room for improvements by using a true compiled language.[147][148] PHP also offers well defined ways for embedding itself into other software projects. That way PHP can be easily used as an internal scripting language for another project, also providing tight interfacing with the project's specific internal data structures.[149]

PHP received mixed reviews due to lacking support for multithreading at the core language level,[150] though using threads is made possible by the "pthreads" PECL extension.[151][152]

In 2013, 9% of all vulnerabilities listed by the National Vulnerability Database were linked to PHP;[153] historically, about 30% of all vulnerabilities listed since 1996 in this database are linked to PHP. Technical security flaws of the language itself or of its core libraries are not frequent (22 in 2009, about 1% of the total although PHP applies to about 20% of programs listed).[154] Recognizing that programmers make mistakes, some languages include taint checking to automatically detect the lack of input validation which induces many issues. Such a feature is being developed for PHP,[155] but its inclusion into a release has been rejected several times in the past.[156][157]

There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting environments.[158]

There are certain language features and configuration parameters (primarily the default values for such runtime settings) that make PHP prone to security issues. Among these, magic_quotes_gpc and register_globals[159] configuration directives are the best known; the latter made any URL parameters become PHP variables, opening a path for serious security vulnerabilities by allowing an attacker to set the value of any uninitialized global variable and interfere with the execution of a PHP script. Support for "magic quotes" and "register globals" has been deprecated as of PHP 5.3.0, and removed as of PHP 5.4.0.[159][160]

Another example for the runtime settings vulnerability comes from failing to disable PHP execution (via engine configuration directive)[161] for the directory where uploaded images are stored; leaving the default settings can result in execution of malicious PHP code embedded within the uploaded images.[162][163][164] Also, leaving enabled the dynamic loading of PHP extensions (via enable_dl configuration directive)[165] in a shared web hosting environment can lead to security issues.[166][167]

Also, implied type conversions that result in incompatible values being treated as identical against the programmer's intent can lead to security issues. For example, the result of "0e1234" == "0" comparison will be true because the first compared value will be treated as scientific notation of a number (0×101234) with value of zero. This feature resulted in authentication vulnerabilities in Simple Machines Forum,[168]Typo3[169] and phpBB[170] when MD5password hashes were compared. Instead, identity operator (===) should be used; "0e1234" === "0" results in false.[171]